Allow leading v on commit message versions (#338)

Previously, a leading `v` on the version in the commit message (eg, `Bumps org/repo from v1.3.0 to v1.3.2.`) did not populate the `previous-version` and `new-version`, so was also unable to calculate the proper `update-type`. This fixes that. Fix #244
dependabot · Apr 12, 2023 · 919f913 · 919f913
1 parent 173b40e
commit 919f913
Show file tree

Hide file tree

Showing 4 changed files with 112 additions and 8 deletions.
diff --git a/dist/index.js b/dist/index.js
diff --git a/src/dependabot/update_metadata.test.ts b/src/dependabot/update_metadata.test.ts
@@ -119,6 +119,41 @@ test('it supports multiple dependencies within a single fragment', async () => {
   expect(updatedDependencies[1].cvss).toEqual(0)
 })
 
+test('it returns the updated dependency information when there is a leading v in the commit message versions', async () => {
+  const commitMessage =
+    'Bumps [coffee-rails](https://github.com/rails/coffee-rails) from v4.0.1 to v4.2.2.\n' +
+    '- [Release notes](https://github.com/rails/coffee-rails/releases)\n' +
+    '- [Changelog](https://github.com/rails/coffee-rails/blob/master/CHANGELOG.md)\n' +
+    '- [Commits](rails/coffee-rails@v4.0.1...v4.2.2)\n' +
+    '\n' +
+    '---\n' +
+    'updated-dependencies:\n' +
+    '- dependency-name: coffee-rails\n' +
+    '  dependency-type: direct:production\n' +
+    '...\n' +
+    '\n' +
+    'Signed-off-by: dependabot[bot] <support@github.com>'
+
+  const getAlert = async () => Promise.resolve({ alertState: 'DISMISSED', ghsaId: 'GHSA-III-BBB', cvss: 4.6 })
+  const getScore = async () => Promise.resolve(43)
+  const updatedDependencies = await updateMetadata.parse(commitMessage, 'dependabot/nuget/coffee-rails', 'main', getAlert, getScore)
+
+  expect(updatedDependencies).toHaveLength(1)
+
+  expect(updatedDependencies[0].dependencyName).toEqual('coffee-rails')
+  expect(updatedDependencies[0].dependencyType).toEqual('direct:production')
+  expect(updatedDependencies[0].updateType).toEqual('version-update:semver-minor')
+  expect(updatedDependencies[0].directory).toEqual('/')
+  expect(updatedDependencies[0].packageEcosystem).toEqual('nuget')
+  expect(updatedDependencies[0].targetBranch).toEqual('main')
+  expect(updatedDependencies[0].prevVersion).toEqual('v4.0.1')
+  expect(updatedDependencies[0].newVersion).toEqual('v4.2.2')
+  expect(updatedDependencies[0].compatScore).toEqual(43)
+  expect(updatedDependencies[0].alertState).toEqual('DISMISSED')
+  expect(updatedDependencies[0].ghsaId).toEqual('GHSA-III-BBB')
+  expect(updatedDependencies[0].cvss).toEqual(4.6)
+})
+
 test('it only returns information within the first fragment if there are multiple yaml documents', async () => {
   const commitMessage =
     '- [Release notes](https://github.com/rails/coffee-rails/releases)\n' +

diff --git a/src/dependabot/update_metadata.ts b/src/dependabot/update_metadata.ts
@@ -27,8 +27,8 @@ export interface scoreLookup {
 }
 
 export async function parse (commitMessage: string, branchName: string, mainBranch: string, lookup?: alertLookup, getScore?: scoreLookup): Promise<Array<updatedDependency>> {
-  const bumpFragment = commitMessage.match(/^Bumps .* from (?<from>\d[^ ]*) to (?<to>\d[^ ]*)\.$/m)
-  const updateFragment = commitMessage.match(/^Update .* requirement from \S*? ?(?<from>\d[^ ]*) to \S*? ?(?<to>\d[^ ]*)$/m)
+  const bumpFragment = commitMessage.match(/^Bumps .* from (?<from>v?\d[^ ]*) to (?<to>v?\d[^ ]*)\.$/m)
+  const updateFragment = commitMessage.match(/^Update .* requirement from \S*? ?(?<from>v?\d[^ ]*) to \S*? ?(?<to>v?\d[^ ]*)$/m)
   const yamlFragment = commitMessage.match(/^-{3}\n(?<dependencies>[\S|\s]*?)\n^\.{3}\n/m)
   const lookupFn = lookup ?? (() => Promise.resolve({ alertState: '', ghsaId: '', cvss: 0 }))
   const scoreFn = getScore ?? (() => Promise.resolve(0))
@@ -72,8 +72,8 @@ export function calculateUpdateType (lastVersion: string, nextVersion: string) {
     return ''
   }
 
-  const lastParts = lastVersion.split('.')
-  const nextParts = nextVersion.split('.')
+  const lastParts = lastVersion.replace('v', '').split('.')
+  const nextParts = nextVersion.replace('v', '').split('.')
 
   if (lastParts[0] !== nextParts[0]) {
     return 'version-update:semver-major'

diff --git a/src/main.test.ts b/src/main.test.ts
@@ -132,6 +132,75 @@ test('it sets the updated dependency as an output for subsequent actions when gi
   expect(core.setOutput).toBeCalledWith('cvss', 0)
 })
 
+test('it sets the updated dependency as an output for subsequent actions when there is a leading v in the commit message version', async () => {
+  const mockCommitMessage =
+    'Bumps [coffee-rails](https://github.com/rails/coffee-rails) from v4.0.1 to v4.2.2.\n' +
+    '- [Release notes](https://github.com/rails/coffee-rails/releases)\n' +
+    '- [Changelog](https://github.com/rails/coffee-rails/blob/master/CHANGELOG.md)\n' +
+    '- [Commits](rails/coffee-rails@v4.0.1...v4.2.2)\n' +
+    '\n' +
+    '---\n' +
+    'updated-dependencies:\n' +
+    '- dependency-name: coffee-rails\n' +
+    '  dependency-type: direct:production\n' +
+    '...\n' +
+    '\n' +
+    'Signed-off-by: dependabot[bot] <support@github.com>'
+  const mockAlert = { alertState: 'FIXED', ghsaId: 'GSHA', cvss: 3.4 }
+
+  jest.spyOn(core, 'getInput').mockImplementation(jest.fn((name) => { return name === 'github-token' ? 'mock-token' : '' }))
+  jest.spyOn(util, 'getBranchNames').mockReturnValue({ headName: 'dependabot|nuget|feature1', baseName: 'main' })
+  jest.spyOn(dependabotCommits, 'getMessage').mockImplementation(jest.fn(
+    () => Promise.resolve(mockCommitMessage)
+  ))
+  jest.spyOn(dependabotCommits, 'getAlert').mockImplementation(jest.fn(
+    () => Promise.resolve(mockAlert)
+  ))
+  jest.spyOn(dependabotCommits, 'getCompatibility').mockImplementation(jest.fn(
+    () => Promise.resolve(34)
+  ))
+  jest.spyOn(core, 'setOutput').mockImplementation(jest.fn())
+
+  await run()
+
+  expect(core.startGroup).toHaveBeenCalledWith(
+    expect.stringContaining('Outputting metadata for 1 updated dependency')
+  )
+
+  expect(core.setOutput).toHaveBeenCalledWith(
+    'updated-dependencies-json',
+    [
+      {
+        dependencyName: 'coffee-rails',
+        dependencyType: 'direct:production',
+        updateType: 'version-update:semver-minor',
+        directory: '/',
+        packageEcosystem: 'nuget',
+        targetBranch: 'main',
+        prevVersion: 'v4.0.1',
+        newVersion: 'v4.2.2',
+        compatScore: 0,
+        alertState: '',
+        ghsaId: '',
+        cvss: 0
+      }
+    ]
+  )
+
+  expect(core.setOutput).toBeCalledWith('dependency-names', 'coffee-rails')
+  expect(core.setOutput).toBeCalledWith('dependency-type', 'direct:production')
+  expect(core.setOutput).toBeCalledWith('update-type', 'version-update:semver-minor')
+  expect(core.setOutput).toBeCalledWith('directory', '/')
+  expect(core.setOutput).toBeCalledWith('package-ecosystem', 'nuget')
+  expect(core.setOutput).toBeCalledWith('target-branch', 'main')
+  expect(core.setOutput).toBeCalledWith('previous-version', 'v4.0.1')
+  expect(core.setOutput).toBeCalledWith('new-version', 'v4.2.2')
+  expect(core.setOutput).toBeCalledWith('compatibility-score', 0)
+  expect(core.setOutput).toBeCalledWith('alert-state', '')
+  expect(core.setOutput).toBeCalledWith('ghsa-id', '')
+  expect(core.setOutput).toBeCalledWith('cvss', 0)
+})
+
 test('it sets the updated dependency as an output for subsequent actions when given a commit message for library', async () => {
   const mockCommitMessage =
     'Update rubocop requirement from ~> 1.30.1 to ~> 1.31.0\n' +